You can't always trust those mobile payment gadgets as far as you can throw them – bugs found by infosec duo

Tech needs to mature a little more, perhaps

Black Hat Those gadgets and apps used by small shops and traders to turn their smartphones and tablets into handheld sales terminals? Quite possibly insecure, you'll no doubt be shocked to discover.

These mobile terminals are often seen in cafes, gyms, and other modest-sized businesses to take non-cash payments. The merchant taps out a figure, you swipe your card through some device physically or wirelessly attached to the phone or tablet, and the transaction is handled electronically over the internet. Unfortunately, these relatively cheap devices are not always particularly secure, according to a nine-month study by Positive Technologies.

The probe was carried out by Leigh-Anne Galloway and Tim Yunusov, who started off looking at just two card readers. This quickly grew into a project that studied seven card reader models from four vendors – Square, SumUp, iZettle, and PayPal – and compared their operation in two different regions: US and Europe. Not all of them are or were vulnerable to attack, and any flaws discovered varied in severity.

Data flow ... how the various components of a mobile payment terminal system fit together. Card goes into a reader, which talks to a phone or tablet via Bluetooth, which talks to payment processors over the internet via an application

The duo told El Reg they found that after swiping a card through five of the card readers – gizmos from PayPal, SumUp, iZettle and two from Square – it was possible to trick the customer into spending more money than they expected.

A dodgy merchant or nearby miscreant could eavesdrop on the encrypted Bluetooth connection between a card reader and its mobile terminal, and tamper with the values so that the final bill is higher than the amount previously shown on the reader.

Below is a card reader that informed the customer the item they bought will cost a quid, when in reality, because the over-the-air connection between the gizmo and the phone was twiddled, the smartphone app thought a higher amount was authorized.

Stung ... The card reader says £1.00, but the payment app will bill the customer £1.23

The Positive Technologies pair also identified two terminals that can be sent arbitrary commands to change what's displayed on their screens. This means malicious software could tell a customer, via the card reader's display, to use a less secure method of payment, such as the magnetics-tripe rather than chip'n'PIN, or display "payment declined" to trick a cardholder into carrying out additional transactions, racking up a remarkable bill.

Lastly, two terminals – Miura-built devices for Square and PayPal – were identified as vulnerable to arbitrary code execution, allowing a miscreant to explore the device's file system, read from the PIN keypad in plaintext mode to snoop on codes, and intercept confidential so-called track 2 data from swiped payment cards before it is encrypted.

Here's one device, a Miura M010 reader, displaying a cute cat cartoon after it was infiltrated via a remote-code execution exploit, we're told:

Meow! A Nyan cat on a Miura M010 reader after a remote-code execution hack

Although the code execution flaws were severe, the ability to change the amounts charged during transactions was the biggest practical danger, PT's Galloway told El Reg. Anti-fraud mechanisms varied widely between vendors, and Galloway said this patchy security is due to the lack of maturity in mobile payment technology.

"If a product costs less than $100 it's not going to have some level of [security] development," Galloway said. "Some vendors are following PCI to the letter and only implementing minimum requirements."

Square, by contrast, is more mature. For example, it has run a bug bounty program since 2014 that has helped it to develop more sophisticated anti-fraud mechanism. Square's tech, we're told, will detect if a mobile phone used in conjunction with its terminals has been compromised.

Any bugs found were reported in April to the reader and app makers, who are in the process of patching, or have finished patching, the security blunders. Miura said it addressed the above code-execution flaw in a 2016 update. Square is phasing out its use of the M010 hardware, and PayPal has put in place mitigations.

Galloway and Yunusov presented their research, For the Love of Money: Finding and Exploiting Vulnerabilities in Mobile Point of Sales Systems, in more detail at this year's Black Hat USA conference in Las Vegas on Thursday. ®